Problem:
I’ve got a running Foreman/Puppet installation to manage our environment. Foreman is mainly used as a means to visualize Puppet data (reports, facts). It runs on a single machine (“puppet.domain.com”). Some time ago we’ve also set up a Salt master server on a different machine (“salt.domain.com”). It also has the Puppet agent installed, which was used to configure the Salt master.
Now I wanted to add this Salt master to the Foreman setup running on the Puppet host (both are Debian Buster). So I first installed the ruby-foreman-salt package on the Puppet host, followed by installation of ruby-smart-proxy-salt and salt-api on the Salt host.
On the latter, I also changed the following files:
- /etc/salt/foreman.yaml:

```yaml
:proto: https
:host: puppet.domain.com
:port: 443
:ssl_ca: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
:ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/salt.domain.com.pem"
:ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/salt.domain.com.pem"
:timeout: 10
:salt: /usr/bin/salt
:upload_grains: true
```

- /etc/foreman-proxy/settings.yml:

```yaml
:settings_directory: "/etc/foreman-proxy/settings.d"
:trusted_hosts:
  - puppet.domain.com
:daemon: true
:bind_host:
  - 0.0.0.0
:http_port: 8000
:ssl_ca_file: "/etc/puppetlabs/puppet/ssl/certs/ca.pem"
:ssl_certificate: "/etc/puppetlabs/puppet/ssl/certs/salt.domain.com.pem"
:ssl_private_key: "/etc/puppetlabs/puppet/ssl/private_keys/salt.domain.com.pem"
```

- /etc/foreman-proxy/settings.d/salt.yml:

```yaml
:enabled: true
:autosign_file: /etc/salt/autosign.conf
:salt_command_user: root
:use_api: true
:api_url: https://localhost:9191
:api_auth: pam
:api_username: saltuser
:api_password: secretpassword
```

- /etc/salt/master.d/api.conf:

```yaml
external_auth:
  pam:
    saltuser:
      - '@runner'
rest_cherrypy:
  port: 9191
  host: 0.0.0.0
  ssl_key: /etc/puppetlabs/puppet/ssl/private_keys/salt.domain.com.pem
  ssl_crt: /etc/puppetlabs/puppet/ssl/certs/salt.domain.com.pem
```

- /etc/salt/master.d/local.conf:

```yaml
ext_pillar:
  - puppet: /usr/bin/foreman-node
master_tops:
  ext_nodes: /usr/bin/foreman-node
permissive_pki_access: True
…
```
Note 1: All the SSL keys/certs above are those of the Puppet agent on salt.domain.com, since this is how I understood the documentation.
Note 2: This editor eats indentation, regardless of whether using block quote or preformatted text. None works as expected. So consider all files properly indented.
I finally restarted the salt-master and foreman-proxy services on salt.domain.com as well as foreman and foreman-proxy on puppet.domain.com.
I could then add the Salt proxy in the Foreman UI, but running foreman-node (on salt.domain.com) fails with an SSL error:
```
# foreman-node minion.domain.com
Couldn't retrieve ENC data: Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)
```
and none of the Salt minions show up in the Foreman UI.
Expected outcome:
Minions should show up in the Foreman UI
Foreman and Proxy versions:
Foreman: 2.3.3
Salt Proxy: 13.2.4
Foreman and Proxy plugin versions:
```
# dpkg --list|grep proxy-salt
ii  ruby-smart-proxy-salt       3.1.2-1  all  SaltStack Plug-In for Foreman's Smart Proxy
ii  ruby-smart-proxy-salt-core  0.0.3-1  all  SaltStack Plug-In core for Foreman's Smart Proxy
```
Distribution and version:
Debian 10.8 (Buster)
Other relevant data:
Not sure what to put here in this case. Please ask.
Note 3: I needed to add blanks to all hostnames, as otherwise they were interpreted as links and summed up to more than 5.
Thanks in advance…
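The "self signed certificate in certificate chain" error above is what foreman-node reports when the chain served on the Foreman HTTPS port does not end in a certificate issued by the CA named in :ssl_ca. The following shell helper is an added diagnostic, not code from the original post or from the Foreman/Salt projects: it fetches the served chain, lists each certificate's issuer next to the trusted CA's subject, and runs the same verification offline with the openssl CLI. The hostname puppet.domain.com and the ca.pem path are taken from the post; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic for the "certificate verify failed" error; not part of the
# original post or of the Foreman/Salt projects. Requires the openssl CLI.
# foreman-node only trusts the file named in :ssl_ca, so the chain served on
# the Foreman HTTPS port must end in a certificate issued by that CA.

# Download the certificate chain served on host:port (SNI set) into $out.
# Returns non-zero when nothing was received.
fetch_served_chain() {
  host=$1; port=$2; out=$3
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
      </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
  [ -s "$out" ]
}

# Print subject and issuer of every certificate in a PEM bundle, so the
# issuer of the served certificate can be compared with the CA's subject.
chain_issuers() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Succeed (exit 0) only when the first certificate in $bundle chains up to a
# certificate in $ca_file; the rest of the bundle serves as intermediates.
verify_against_ca() {
  ca_file=$1; bundle=$2
  openssl verify -CAfile "$ca_file" -untrusted "$bundle" "$bundle" >/dev/null 2>&1
}

# End-to-end check with the post's values:
#   diagnose_foreman_tls puppet.domain.com 443 /etc/puppetlabs/puppet/ssl/certs/ca.pem
diagnose_foreman_tls() {
  chain=$(mktemp)
  if ! fetch_served_chain "$1" "$2" "$chain"; then
    echo "no certificate received from $1:$2"; rm -f "$chain"; return 2
  fi
  echo "chain served by $1:$2:"; chain_issuers "$chain"
  echo "CA trusted by foreman-node:"; openssl x509 -in "$3" -noout -subject
  if verify_against_ca "$3" "$chain"; then
    echo "OK: served chain verifies against $3"; rc=0
  else
    echo "MISMATCH: served chain does not verify against $3 (what foreman-node reports)"; rc=1
  fi
  rm -f "$chain"; return $rc
}

if [ $# -eq 3 ]; then diagnose_foreman_tls "$@"; fi
```

If the output shows MISMATCH, the Apache vhost in front of Foreman is serving a certificate from a different CA than the Puppet CA, and either that vhost or :ssl_ca in /etc/salt/foreman.yaml must be changed so both agree.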